Post navigation

NAT (Network Address Translation) can be configured in our Checkpoint FW in 2 two different ways: Manual or Automatic

Automatic NAT

To configure the automatic NAT, the SERVER object properties has a NAT section.
So for example, if we want our host with internal private IP 10.10.50.50 to be published in Internet with public IP 80.80.100.100:

(I we only wanted to apply outbound IP masquerading, we should have applied hide NAT type.
In this example, we are also trying to publish to Internet to receive incoming connections, so static NAT type.)

After applying the automatic NAT configuration, the firewall will start reply to the ARP request asking for the 80.80.100.100 public IP. Then the firewall will 'NAT' the packet and route it to the proper gateway or to the final destination.

Its very important to apply the NAT section of the host only to the gateway we want (Instead of all, the default option)

Otherwise, in a VSX environment, all VS firewalls can start to reply those ARP request, and so, steal packets among them.

Manual NAT

To configure manual NAT, instead of using the NAT section of our HOST object we can add rules on the NAT section of our firewall policy.
To recreate the same NAT configuration as the previous example, there must also be another HOST object with the public IP configured

Thanks Mark!
Yes, its possible by doing a manual NAT rule but instead of translating the destination, translating the source.
This can have sense for example when in another network you dont manage, access control is performed and “they” await all your packets as coming from certain concrete IP (the hide IP).
Dunno if i solved your question.

I have a question. After successfully configuring a Static destination NAT rules to allow internet users (public IPs) reach the SERVER_PUBLIC_IP, do you still need to all a firewall rule to allow that traffic? If YES, what would the rule look like?

Yes, you should create a rule on the policy to allow the traffic to the public IP (the POLICY is applied BEFORE the NAT).
– In case of an automatic NAT, for example, to allow HTTP port to internet users you should create a rule like:

Any -> SERVER_OBJECT (HTTP)

The SERVER_OBJECT contains both the private IP (on the global properties tab) and the public IP (on the NAT tab), so this is valid.

– In case of a manual NAT, you dont configure using the SERVER_OBJECT because it would only contain the private IP (it does not on the NAT tab when using manual NAT). So the rule would be something like:

Any -> SERVER_PUBLIC_IP_OBJECT (HTTP)

SERVER_PUBLIC_IP_OBJECT would contain the public IP on the global properties

I have an internal machine which i want to translate to a particular public ip when making outbound http/web connections. I created a manual hide nat rule that translates the source address from internal ip to public ip, and also added proxy arp rule for the public ip , but it does not work. The internal machine makes no connection to the outside…

Well explained! Needed that little bit of what if as I migrate rules over from ASA to Checkpoint.

Sometimes if someone else explains it with the right details, then things just click. I’m now able to talk about the existing ASA config and also talk about how, what if’s on the checkpoint as I migrate.

Can anyone tell me why we put the private ip in translated ip while we are create the rule with the NAT because we are doing the nat with the public ip.
Lets take example internal private IP 10.10.50.50 to be published in Internet with public IP 80.80.100.100:
So for above example public IP 80.80.100.100 should be in translated ip because we are translating the ip with the privte ip public IP 10.10.50.50.

can anyone explain me that why we put the private ip in the translated ip column instead of private IP while we are creating the manual rule because we are translating the private ip to public ip. So according to me public ip should be in translating ip and private ip in souce.

For Example:-

So for example, if we want our host with internal private IP 10.10.50.50 to be published in Internet with public IP 80.80.100.100:
Tanslated IP
Source Destination Service Source Destination Service
Any 80.80.100.100 Any Original 10.10.50.50 Original